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(57) Abstract 

Methods for non-repudiable, 
non-trackable, possibly one-way identification 
and validation of remote entities to identi- 
fication devices, wherein the identification 
devices do not require access to databases 
of remote entity information. An arbitrator 
entity preferably characterizes and distributes 
a specific algorithm to each remote entity. 
An identification device (or system operating 
an identification device) preferably distributes 
one reversible algorithm to each remote 
entity. Each time a remote entity identifies 
itself to an identification device, it applies 
its arbitrator provided algorithm to either a 
time-based variable (one-way identification) 
or to a challenge provided by the identification 
device, computing a first result. The remote 
entity then applies the reversible algorithm 
to the challenge/time-based variable, to its 
identification data and to the first computed 
result, computing a second result which 
is transmitted to an identification device. 
The identification device then may apply 
the reverse algorithm to the second result, 
computing a presumed challenge/time-based variable, presumed identification data and presumed first result. The identification device then 
may compare the challenge/time-based variable to the presumed challenge/time-based variable. If they match (within some tolerance for a 
time-based variable), the identification device transmits the presumed first result, the presumed identification data and the challenge to the 
arbitrator. The arbitrator then may apply the particular algorithm distributed to that remote entity and apply it to the challenge/time-based 
variable, thereby computing a valid first result. Hie arbitrator then may compare the valid first result to the presumed first result. If they 
match (within a tolerance for time-based variables), the arbitrator may corroborate the authenticity of the identification to the identification 
device. 
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METHODS AND APPARATUS FOR THE SECURE IDENTIFICATION 
AND VALIDATION OF THINGS AND EVENTS 

TECHNICAL FIELD 

5 

The present invention generally relates to methods for identification, including remote 
identification and validation of messages. The methods of the present invention provide security 
in various transactions by validating and identifying various entities, while avoiding the 
necessity of conventional authentication procedures or the need to store databases of 
10 information available to an identification device. 

BACKGROUND OF THE INVENTION 

Various service providers (e.g., Social Securities, Telecoms (PATS), financial 

15 institutions, brokers, banks, merchants, etc.) are often involved in transactions requiring the 
identification and validation of a remote entity (e.g., an individual, organization, smart card, 
message, account, etc.). These service providers often provide their services to remote entities 
over various telecommunications media, for example, Internet, phone lines, etc. Naturally, it is 
important for these providers to ensure during each transaction that the remote entity is not an 

20 imposter. Accordingly, they often employ various identification devices to identify and validate 
remote entities, these devices being referred to herein as Identification Devices. For ease of 
discussion, a remote entity authorized to engage in transactions, but perhaps not yet identified 
and/or authenticated by an Identification Device for a particular transaction, is referred to herein 
as an "Authorized Remote Entity" or "Authorized Entity." 

25 One method commonly known in the art and employed by Identification Devices for 

securely identifying a remote entity is to add "authentication" to an otherwise normal 
identification process. Authentication is typically accomplished by providing an additional 
piece of information to an Identification Device, e.g., a secret code, along with identification 
information. This additional information then may be used to corroborate that the identification 

30 is accurate and that the remote entity is not an imposter attempting to impersonate an authorized 
entity. The additional piece of information is often a secret code or a password (e.g., PIN), but 



l 



WO 99/27676 - PCT/IB98/01834 

also may be a Dynamic Code, preferably computed using a software implemented algorithm. 
Alternatively, the additional information may be provided by a token (e.g., Bio-Token) carried 
by the entity (e.g., individual) to be identified. 

Non-variable (i.e., constant or static) information or data (e.g., PIN) can only add limited 
5 security to the identification process because a static piece of information eventually may 

become known to a third party (e.g., potential attacker/impostor/eavesdropper) in which case an 
authorized entity can easily be impersonated. On the other hand, authentication by means of a 
variable piece of information (referred to herein as a Dynamic or One Time Code) provides 
enhanced security. 

10 Currently known methods of authentication which use a Dynamic or One Time Code 

typically require a prior step of identifying the remote entity to the Identification Device, e.g., 
by providing a name (e.g., a login name), a serial number, an additional fix code, etc. as part of 
a message transmitted from a Remote Entity to an Identification Device. This constant part of a 
message will be referred to herein as an Identification Message. Thus, a method commonly 
1 5 employed by an Identification Device to securely identify a Remote Entity by authentication 
typically comprises the three following steps: 

1) Identification: identify who the Remote Entity is supposed to be, by receiving a 
constant (non- variable, or at least non-constantly- variable) piece of information, 
referred to herein as an Identification Message; 
20 2) Database Search: the Identification Devices searches a database containing the 

Authorized Entity's secret information or computing keys, to compute a dynamic 
piece of information (referred to herein as a Valid Dynamic Code) which is 
associated with and expected from the Authorized Entity at that particular 
moment; and 

25 3) Authentication: the Identification Device compares the Valid Dynamic Code 

(computed at the Identification Device) with a Dynamic Code received from the 
Remote Entity (referred to as the Received Dynamic Code) to check if both 
codes match; if so, the Identification Device corroborates the identification of the 
Remote Entity as being the Presumed Entity. 

30 A variation of the above-described authentication method is referred to as the Challenge 

and Response method, comprising the following steps: 
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1) The Remote Entity is identified (as described in step 1 above); 

2) The Remote Entity receives a Challenge generated and sent by the Identification 
Device and computes a Response, the Response playing the role of a Dynamic 
Code; 

5 3) The Identification Device, after identifying the Remote Entity (the Pre- 

Authentication Identification), requires a database to determine the expected 
response to the challenge, for that Remote Entity at that moment. 
Each of the authentication schemes described above requires the Identification Device to 
employ a database or look-up table. Naturally, each database must be maintained and updated, 
10 which creates problems associated with the management of keys, synchronized database 

updates, etc. Furthermore, these problems become acute when a service provider utilizing an 
authentication process has a multitude of Identification Devices disseminated through several 
countries. Accordingly, methods of authentication are needed which overcome limitations and 
drawbacks associated with the use of databases in authentication methods currently known in 
15 the art. 

Another problem associated with conventional schemes for Remote Identification is the 
possibility of "repudiation" by an identified and authenticated Remote Entity. For example, a 
Remote Entity, which has been identified and authenticated as being an Authorized Entity, may 
later deny the genuineness of a particular communication or event under scrutiny. To illustrate, 

20 in the case of a Gambling Service Provider (although identification and authentication 

techniques may apply to any service provider, Gambling Service Providers are used for this 
example), Remote Entities (e.g., gamblers) may place bets from remote locations and pay for 
those bets using Credit Cards. Naturally, before a particular Remote Entity places any bets, the 
Gambling Service Provider identifies and authenticates that Remote Entity by a procedure 

25 similar to those described above. Once the bets have been placed, one of the Remote Entities 
wins a prize, while all of the remaining Remote Entity gamblers lose. This situation presents an 
opportunity for any number of losing Remote Entities to repudiate their particular betting 
transaction, including the identification and authentication process, claiming that they never 
made the transaction/bet, and that the Gambling Service Provider fabricated the transaction or 

30 made a mistake. Because each Remote Entity is authenticated by the Provider's Identification 
Device, and further because the provider includes a database containing secret information, the 
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Provider has the capability to compute as many Valid Dynamic Codes as the Gambling Service 
Provider may desire, and an unscrupulous Gambling Service Provider thereby has the ability to 
fabricate transactions. Accordingly, when a Remote Entity repudiates a transaction, there is no 
way to prove whether the Gambling Service Provider fabricated the transaction or the Remote 

5 Entity has repudiated a valid transaction. Of course, if all the losing Remote Entities repudiate 
their transactions, the effect on the Gambling Service Provider may be disastrous. 

As illustrated in the example above, present methods of authentication intrinsically are 
subject to the negative effects of transaction repudiation, due to the fact that the 
receiving/identifying/authenticating side of each transaction has the capability to compute a 

10 secret Dynamic Code as accurately as the Remote Entity. Accordingly, new methods are 
needed which avoid Remote Entity repudiation of transactions. 

A further drawback of authentication methods known in the art and described above is 
the fact that a Remote Entity is trackable. In other words, an eavesdropper may follow every 
transaction made a particular Remote Entity because that Remote Entity transmits the same 

1 5 constant identification information for every transaction. This ability to track a Remote Entity 
creates a lack of security and privacy for many Remote Entities (e.g., especially government 
officers, ministers, police officers, etc.). Accordingly, new methods of identification are needed 
which avoid the trackability of Remote Entity transactions. 

20 BRIEF SUMMARY OF THE INVENTION 

The present invention discloses methods for secure identification of entities, whereby no 
authentication process is necessary. In othei words, the present invention comprises various 
One Step/One Way Identification Procedures whereby only a secure identification step is 

25 required, without the need of an additional authentication step. Furthermore, these methods of 
identification help to avoid the possibility of impersonation because a part of each identification 
process is variable and valid only one time. Consequently, the identification process cannot be 
intercepted and re-used, is non-repudiable and is non-trackable. In addition, by utilizing the 
methods of the present invention, the need for an Identification Device, as described above, to 

30 have access to a database of authentication data is alleviated. 
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The invention comprises the use of Reversible Algorithms, as shown below, in 
accordance with the principles disclosed in US patent 5,524,072 issued to Labaton et al., hereby 
incorporated by reference. 

According to a preferred method of the present invention, reversible algorithms (e.g., 

5 mathematical algorithms) may be used in conjunction with a Challenge-Response method 
similar to that described above, wherein a Identification Device generates a random challenge. 
This challenge then may be transmitted to a Remote Entity. The Remote Entity generates a 
substantially or totally dynamic response (i.e., little or no constant part), and such response 
constitutes "secure identification information." It is important to emphasize at this point that, 

10 according to a preferred embodiment of this invention, an Identification Device does not need to 
know the identity of any Presumed Entity in order to identify a particular Remote Entity. 
Accordingly, an Identification Device is capable of checking the identification of a Remote 
Entity without the need of a database and without the need to know in advance who the Remote 
Entity is supposed to be (i.e., without the need to know an Authorized Entity). 

1 5 This invention further provides methods for non-repudiable identification, which means 

that the Remote Entity will not be able to claim that a Service Provider fabricated the 
identification message. This is accomplished by providing three different entities, namely, a 
Remote Entity, a Service Provider/Identification Device and an Arbitrator, wherein no single 
entity has access to all of the necessary data. 

20 The present invention further provides for systems and methods wherein a Response 

computation is composed of more than one step, the first step being a computation of the result 
(Rl) inferred from the Arbitrator Seed number. The result Rl will be one of the arguments of 
the Reversible Algorithm. 

In accordance with a further aspect of the present invention, an anti-repudiation feature 

25 comprises the following steps: first, a Service Provider receives an identification message from 
a Remote Entity; second, the Service Provider applies the reverse of the Reversible Algorithm 
to the signature, and recuperates the original arguments, including Rl. Because Rl is computed 
by the remote entity using the Arbitrator seed number, which is not known to the Service 
Provider, that means that a correct Rl, validated and corroborated by the Arbitrator, can come 

30 only from the Remote Entity, and can not be fabricated by the service provider. 
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BRIEF DESCRIPTION OF THE DRAWING FIGURES 

The subject of the invention will, hereinafter, be described in conjunction with the 
appended drawing figures, wherein like numerals designate like elements, and: 

Figure 1 is a block flow diagram of an exemplary initialization process for an Arbitrator 
and a System (e.g., a Service Provider which operates an Identification Device, ID 
Node, or multitude ID Nodes) according to the methods of the present invention; 
Figure 2 is a block flow diagram of an exemplary identification process for a 
challenge-response type identification according to the methods of the present invention; 
Figure 3 is a block flow diagram of an exemplary anti-repudiation process; 
Figure 4 is a block flow diagram of an exemplary identification process according to the 
methods of the present invention; 

Figure 5 is a block flow diagram of an exemplary time-based identification process, with 
drift correction, according to the methods of the present invention; 
Figure 6 is a block flow diagram of a further exemplary time-based identification 
process, with drift correction, and wherein an Identification Device has access to a 
database; and 

Figure 7 is a graphical representation of a preferred FTolerance function. 

DETAILED DESCRIPTION 

The present invention provides methods for secure identification of a Remote Entity by 
an Identification Device, wherein the Identification Device may not require the use of a 
dedicated local database. Furthermore, the methods of the present invention may provide for 
25 one-way, non-repudiable, non-trackable identification. Typically, an Identification Device is 
operated by a Service Provider, or any other entity requiring secure identification of Remote 
Entities, to engage in transactions with those entities (for simplicity, referred to herein as a 
Service Provider). 

In accordance with a first method of the present invention, a reversible algorithm 
30 (referred to herein as a Reversible Function) F_SYS ssn may be selected by a Service Provider 
out of a family of possible algorithms, preferably by selecting a System Seed Number (or SSN). 
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The Service Provider then may distribute the reversible algorithm to any or all of the Remote 
Entities authorized to engage in transactions with the Service Provider (Authorized Remote 
Entities). The Service Provider also may provide a specific Remote Entity Identification 
number (referred to herein as CJD) to each of the Authorized Remote Entities (e.g., a driver's 
5 license number). 

Each time a Remote Entity is to be identified by a Service Provider (e.g., for a particular 
transaction between the Service Provider and the Remote Entity), the Service Provider may 
select a random number (referred to herein as Ch or Challenge) and transmits it to the Remote 
Entity. The Remote Entity then may apply a function F_SYS ssn to the parameters CJD and 

10 Ch, thereby generating response R2 as follows: 
F_SYS ssn (C_ID,Ch) = R2. 

The response (R2) then may be transmitted to the Service Provider's Identification 
Device. At the Identification Device, the reverse of the system function F_SYS ssn (referred to 

herein as F"*_SYS ssn ) may be applied to R2, thereby recuperating C_ID and a number 
15 presumed to be Ch, referred to herein as Ch': 
F-^SYSssn (R2) = CJD, Ch'. 

The Identification Device then may compare Ch (sent) to Ch' (received/computed) and 
determine whether they match. If they match, C_ID is a correct and valid identification. 

In a preferred exemplary implementation of the above-described method, the present 
20 invention may utilize a Rabin Algorithm (known in the art). Accordingly, the Service Provider 
may select two large prime numbers, P] and P2, each of them being congruent with 7(mod 8), 

or alternatively, select a System Seed Number (SSN), from which two such prime numbers may 
be consequently inferred (See Figure 1, blocks 5 and 6); These two prime numbers will 
determine, as parameters, the Reverse Algorithm, as explained below, but the prime numbers 
25 will not be transmitted or communicated to the Remote Entity, and will remain as secret system 
keys under the supervision of the Service Provider (See Figure 1, block 7). The Service 
Provider then may calculate the product ?\ * ?2 = SM (referred to herein as a System Module) 
and send the System Module (SM) to Remote Entities, not necessarily openly, but preferably 
embedded in a function F _SYS ssn (See Figure 1, block 8). The F_SYS ssn may be masked on a 

30 chip. 
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A preferred exemplary model for the function F_S YS ssn may be specified as a function 
FF*M (x) as follows: 

FFm (x) = x2(mod M). 
The Remote Entity then may make the following computations: 
5 FFSM ( Ch ) = L 1 and then 

F^SM (L 1 ) = L2 m & * en 
FFsm (^2) = L3 and then 
FFsm (L3) = L4 and then 

10 and so on until q (where q is any natural number), 

FFsMCLq-l)"^ 

And then, defining the function LSB(X) as the 'Least Significant (n)Bit(s)' of X (where n is any 
natural number), the Remote Entity may make the following computations: 

FFsm (Lq) = T1 md then LSB(Tl) = cl 
15 FF SM (Tl) = T2 and then LSB(T2) = c2 

FFsm ( T2 ) = T3 2 nd then LSB(T3) = c3 

FFsm ( t3 ) = T4 ^ LSB(T4) = c4 



and so on until n, where n is the amount of digits of the concatenation Ch o C_ID, 
20 FF S m ( Tn - 1 ) = Tn and then LSB(Tn) = cn. 

The Remote Entity then may concatenate cl,...,cn and refer to the concatenation as C as 
follows: 

C = cl °c2 o c3 © c4 o o o o o o o o cn 
(wherein o stands for concatenation). 
25 Then, the Remote Entity may bitwise-xor C with the concatenation Ch o C_ID as follows 
(where "xor" corresponds to the "exclusive or" function): 

(cl ©c2 o c3° c4o 0000000 cn) ®(Ch o C_ID ) = V 
(wherein ® stands for bitwise-xor). 
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Then, the Remote Entity may compute Tn+m (m being any natural number) in the following 
manner: 

FF SM (Tn) = Tn+l 

5 and so on until n+m, 

FFsm (Tn+m-1) = Tn+m. 

The Remote Entity then may concatenate V and Tn+m as follows, resulting in R2 
(referred to herein as a Cipher): 
R2 = V o Tn+m 

10 At this point, a Remote Entity may transmit the Cipher R2 to an Identification Device. Because 
the Identification Device (or, e.g., Service Provider operating the Identification Device) knows 
the prime numbers P] and P 2 , it may reverse the algorithm and recover Ch and C_ID, as 

follows: 

The Identification Device may use the Euclidean Algorithm in conjunction with P] and 
15 P 2 , to compute LI and L2, such that: 
M Pi +L 2 P 2 = Hmod SM). 
Kl and K2 may be defined as follows: 

Ki=LiPi andK 2 = L 2 P 2 . 
Then, the following computations may be made as follows: 
20 Y] = Tn+m (mod Pj) and Y 2 = Tn+m (mod P 2 ). 

Then, the following computations may be made as follows: 

(mod Pi) and, 

if Z!« P l" 1)/2) = -l (modPi)thenZi =Pi-Zi. 
Then, the following computations may be made as follows: 
25 z 2 = Y 2 ((P 2 +1)/4) (mod P 2 ) and, 

if Z 2 ((P 2-^ /2 ) = -1 (mod P 2 ) then Z 2 = P 2 -Z 2 . 

Then, the following computations may be made as follows: 
Tn+m-1 =Z]K 2 +Z 2 Ki > 
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Then, applying the same procedure, compute Tn+m-2 ? and so on, obtaining all of the T\ until 
To- 

The Identification Device then may proceed as follows: 

Taking Ti, the following computations may be made as follows: 
5 Cj = LSB(Ti)forI = l„n. 

The results then may be concatenated as follows: 

C = cl °c2 o c3° c4oooooooo cn. 
Then, the Identification Device may XOR C with V as follows: 

[V = (cl °c2 o c3° c4o ooooooocn)® (Ch o CJD), sent from the Remote Entity], 
10 and then compute as follows: 
(cl oc2 o c3° c4 o o o cn) ® V = 

(cl o C 2 o c3o c4 o o o cn) ® (cl o C 2 o c3o c4'ooo cn) ® (Ch o CJD) = (Ch o CJD) 

Having recuperated the C_ID, the identification is complete. Recuperation of the Ch 
then may be used to authenticate the identification, to the extent that Ch should be exactly the 
1 5 same as the Ch sent to the Remote Entity. 

It is worth noting that the example shown represents an extremely secure methodology 
for identifying a Remote Entity because the sensitive secrets, namely, the knowledge regarding 
how to factorize the SSN (namely ?\ and P2) is only available at the Identification Device and 
not available to the Remote Entity (e.g., not stored in a token carried by the Remote Entity). Of 
20 course, any suitable mathematical (or other) manipulations or operations may be employed in . 
the context of the present invention. 

The present invention further provides methods for identifying one or more Remote 
Entities to a Central Identification Device (e.g., operated by a Service Provider) wherein the 
identification process is arbitrated by an Independent Arbitrator Entity. These methods 
25 preferably comprise the following steps: 

a) The Independent Arbitrator Entity may characterize a specific algorithm (or a 
plurality of algorithms) for each of the Remote Entities, and then distribute each 
algorithm to its respective Remote Entity; 

b) The Central Identification Device (e.g., operated by a Service Provider) may 
30 distribute one (or more) reversible algorithm to each of the Remote Entities; 
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c) Each time a Remote Entity is to be identified, the Remote Entity may apply the 
Independent Arbitrator Entity's algorithm to a challenge (Ch) provided by the Central 
Identification Device, thereby providing a first result Rl . The Remote Entity then may 
apply the Central Identification Device's reversible algorithm to the challenge Ch, to its 
identification data C_ID, and to the said first result Rl, thereby computing a second 
result R2 (the Cipher). The Remote Entity then may transmit the second result R2 to the 
Central Identification Device. The Central Identification Device then may apply the 
reverse of the reversible algorithm to the received second result R2, thereby computing a 
presumed challenge Ch', a C_ID, and a presumed first result Rl. The Identification 
Device then may compare the transmitted challenge Ch to the computed presumed 
challenge Ch\ If they are identical, the Central Identification Device may transmit the 
presumed first result Rl to an Independent Arbitrator Entity together with the Remote 
Entity's identification data (which may be C_ID or other data, for example a Remote 
Entity's Serial Number) and the challenge Ch. The Arbitrator Entity then may retrieve 
the specific algorithm transmitted from the specific Remote entity and apply the 
algorithm to the challenge Ch, thereby computing a true first result Rl . The Arbitrator 
Entity then may compare the true first result Rl with the presumed first result Rl and, if 
they are identical, the arbitrator entity may corroborate the identification to the Central 
Identification Device. Once the Central Identification Device has received the 
corroboration from the Arbitrator Entity, it may accept the presumed identification data 
C_ID as being true identification data corresponding to the Remote Entity. 
These methods (or other suitable operations) utilizing three entities (Remote Entity, 
Central Identification Device and Arbitrator Emily), provide for non-repudiabk and non- 
trackable secure identifications methodology. An exemplary implementation of these methods 
may comprises the following steps: 

a) In addition to Remote Entities and Identification Devices, utilize a third 
independent party, referred to herein, for example, as an Arbitrator Entity; 

b) The Arbitrator Entity may select a first algorithm (referred to herein as 

F^ARB 1 ASN) which preferably is selected from a family of algorithms F_ARB 1 , 
preferably by the means of a seed number (referred to herein as an Arbitrator Seed 
Number = ASN) (See Figure 1 Block 1). 
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An important purpose of this algorithm (^ARB 1 ASN) is to generate a different 
pseudo-random number for each Remote Entity (See Figure 1 , block 2). This pseudo-random 
number, referred to herein as RE AN (Remote Entity's Arbitrator Number), determines the 

algorithm (F_ARB 2 REAN) (see Figure 1, blocks 3 and 4) which may correlate the transaction 
5 related number Ch and, optionally CJD, with an arbitrator inferred number Rl. The REAN is 
preferably the result of the product of two large prime numbers, p'l and p'2, both of which may 
be congruent with 3(mod4). Hence the computed Rl may be different and specific for each 
transaction. 

Accordingly, the algorithm F_ARB* ^SN is suitably applied to a Remote Entity's 
10 openly known number, for example, the Remote Entity's Serial Number or any other publicly 
known number associated with the Remote Entity, to generate the REAN (Remote Entity's 
Arbitrator Number), as follows: 

F_ARB 1 A sn (Serial Number) = REAN. 

The second algorithm selected by the Arbitrator is referred to herein as F J^RB^REAN* 
15 which also preferably is selected from a family of algorithms by means of the previously 
obtained Remote Entity Arbitrator Number REAN (See Figure 1, block 3). 

It is worth noting that an Arbitrator only needs to select one number, namely the ASN, 
which is suitably the same for all the cases belonging to such Arbitrator. In contrast, the REAN 
is advantageously different and preferably dedicated for each Remote Entity, and the Rl is 
20 different for each transaction and inferred from the ASN to further enhance security. 

The Remote Entity may then apply the F ARJB^p^^j algorithm to Ch (and. optionally, 
to CJD), thereby getting a response Rl (see Figure 2, block 1 1), as follows: 
F_ARB 2 re AN (CJD, Ch ) = Rl . 

At this point, a Remote Entity may apply the F_SYS ssn algorithm to Ch, CJD and Rl, 
25 thereby retrieving the Cipher R2 (see Figure 2, block 12), as follows: 
F_SYS ssn ( Ch , CJD, Rl) = R2 (the Cipher). 

The Remote Entity may then transmit Cipher R2 to an Identification Device (e.g., ID 
Node or System Administrator) (See Figure 2, block 13). 
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The Identification Device may then receive Cipher R2 (see Figure 2, block 14). The 
Identification Device, which knows the values of P] and P2, then may non-repudiably identify 

the Remote Entity, without using any database, by applying the reverse of F_SYS ssn to R2. 

Accordingly, F"*_SYS ssn is applied to R2, thereby retrieving the original arguments, namely, 
5 CJD, Ch' and Rl , as follows: 

F-^SYS^ (R2) = CJD, Ch' ,R1. 

If Ch c is sufficiently identical to the Ch transmitted, then the CID is validated as being 
authentic, e.g., an authentic Entity Identification Number (See Figure 2, blocks 15 and 16). 

Rl then may be preserved to refute repudiations of such transactions. That is, cases 
10 where the Remote Entity denies that he/she/it had a Cipher (e.g., R2), or, in other words, when 
the Remote Entity claims that a Cipher (e.g., R2) was fabricated by the Identification Device 
and/or the controller of such a device (See Figure 2, block 17). 

Referring now to Figure 3, in the case of repudiation problems or, alternatively, for each 
desired case, the Identification Device may provide the Arbitrator with a Remote Entity's Serial 
15 Number, the Ch, the Presumed Rl, and, optionally, the CJD (see Figure 3, blocks 19,20 and 
21). 

The Arbitrator may then apply the F ARB 1 

ASN algorithm to the Serial Number, 

thereby obtaining the RE AN, as follows: 

FARB 1 A SN (Serial Number) = REAN (See Figure 3, block 22). 

20 The Arbitrator may then apply the F_ARB2jyg A j s j algorithm to Ch and, optionally, to 

C ID. and thereby obtain the true P 1 (see Figure 3. block 23) as follows: 
F_ARB 2 REAN (C_ID,Ch ) = Rl, which is the true Rl. 

The arbitrator may then determine whether the true Rl is identical to the Presumed Rl 
(see Figure 3, blocks 24 and 25). If Rl and the Presumed Rl are not identical, then R2 may be 
25 a fabrication (See Figure3 , block 27). On the other hand, if Rl matches the presumed Rl , it 
may be concluded that the R2 is coming from an Authorized Remote Entity, because the 
Identification Device has no means with which to compute (fabricate) a true Rl (see Figure 3, 
block 26). 
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According to another preferred exemplary implementation of the methods of the present 
invention, the Remote Entity may utilize an algorithm F_ARB 2 r£aN, characterized by an 
Arbitrator by means of a REAN, to compute the transaction specific Rl, using the transaction 
specific Challenge Ch transmitted by the Identification Device (e.g., ID Node/ System 
Administrator), as follows: 

the Remote Entity may compute: 

Mi = Ch 2 (mod REAN) 
M 2 = M 2 i (mod REAN) 

and so on, until p (any natural number) 

51 = M p = M 2 p _i (mod REAN). 
The Remote Entity then may compute: 

C'i =LSB(Si). 
Accordingly, 

5 2 « S 2 i (mod REAN) -> C 2 = LSB (S 2 ) 
and so on, until n: 

S n = S 2 n _!(mod REAN) -» C' n = LSB (S n ). 
The result is the following concatenation: 

Rl = Cjo o o o o o o o C' n . 

Accordingly, the above-described step F_ARB 2 reaN ( Ch ) = R1 thereby may be 
accomplished. 

According to a further preferred implementation of the methods of the present invention, 
a preferred implementation of the function F_SYS ssn is now presented. In accordance with this 
aspect of the present invention, a System Seed Number (SSN), selected by an administrator, 
may be used to infer a SM (System Module, as discussed above). The Remote Entity may make 
the following computations: 

Ti = Rl 2 (mod SM) => C! = LSB (T\) 

T 2 = T 2 i (mod SM) C2 = LSB (T 2 ) 
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and so on, to: 

T n = T 2 n .i (mod SM) => C n = LSB (T n ) 

T n +1 = T2 n (modSM) 

5 = 

and so on, to: 

T 2 n+m(mod SM). 
The C's then may be concatenated as follows: 

C — Cp o o o o o o °C n 

10 A Cipher (R2) message then may be computed as follows: 
R2 = [(C JD o CH)] ® C] o T n + m . 

Accordingly, the above-mentioned step F_SYS ssn (Ch ) = R2 thereby may be 
accomplished. 

Obviously, while a CID is always the same for a particular Remote-Entity, the Cipher 
1 5 should be different from any prior Cipher (R2), to the extent that the Ch is different from any 
prior Ch transmitted to a particular Remote Entity. 

The Remote Entity may transmit the Cipher R2 to an Identification Device (e.g., ID 
Node/System Administrator) and, because the Identification Device knows the prime numbers 
Pi and P2, the Identification Device may reverse the algorithm and recover Ch and C_ID. 
20 The Identification Device (e.g., ID Node/ System Administrator) may use the Euclidean 

Algorithm (or other suitable Algorithms) in conjunction with P] and P? to compute what is 

referred to as the reverse algorithm or Reverse Algorithm, F'*_SYS ssn . A preferred exemplary 

implementation of this computation is as follows: 

a) compute LI and L2 such that Li Pi + L2 P2 = l(mod SM); 

25 b) define K] = L\?\ and K/? = ?2; 

c) compute: 

Y j = Tn+m (mod Pj) and 

Y2 = Tn+m (mod P2); 
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d) compute: 

(mod Pj) 

and, if Zi ((P l" 1)/2) = -1 (mod Pj) then Z] = P]-Z 1; md 
Z 2 = Y 2 « P 2 +1 ) /4 ) ( modP 2 ) 

if Z 2 ((P 2" 1)/2) = -1 (mod P 2 ) then Z 2 = P 2 -Z 2; 

e) compute: 

Tn+m-1 =ZiK 2 + Z 2 K] ; 

and, applying the same procedure, compute: 

Tn+m-2 

and so on. obtaining all the Ti until Tq is recuperated. 
The Identification Device (e.g., ID Node/System Administrator) then may proceed as 
follows: 

a) using Ti, compute: ci = LSB(Ti) 

and so on for i = n,n-l,...,l (T\ is also recaptured); 

clearly, the Reverse algorithm applied to T] generates the Rl, which is stored together 
with the correspondent Ch for potential repudiationxases; 

b) the ci results are concatenated as follows: 
C = cl o c2 o c3 o c4 o o o o o o o o cn 

c) the Identification Device (e.g., ID Node/System Administrator) then may XOR 
C with V, thereby obtaining: 

(cl o c2 o c3 o c4 o o o cn) ®V = 

(cl o c2 o c3 o c4 o o o cn) ® (cl o c2 o c3o c4o o o cn) ®(Ch o CJD) = (Ch o CJD). 

Having recuperated the C_ID, the identification may be complete. The recuperation of 
Ch then may be used to authenticate the identification, to the extent that Ch should be exactly 
the same as the Ch sent to the Remote Entity. 

If a Remote Entity later repudiates the transaction, the Identification Device (e.g., ID 
Node/System Administrator) may provide the Arbitrator with the Remote Entity's Serial 
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Number, the transaction Ch, the presumed Rl and, optionally, the C_ID. The Arbitrator then 
may apply the F_ARB* aSN t0 the Serial number, thereby obtaining the REAN as follows: 
F_ARB! A sn (Serial Number) = REAN. 

The Arbitrator then may apply the F_ AR B 2 REAN algorithm to Ch and, optionally, to 

C_ID, thereby obtaining the true Rl, as follows: 

a) the Arbitrator may compute: 

Mi = Ch 2 (mod REAN) 

M2 = M 2 i (mod REAN) 
and so on, until 

S] = M40 = M 2 39 (mod REAN), 

(wherein 39 and 40 are examples only and may differ); 

b) the Arbitrator may compute: 
C ? i-LSB (Si); 

c) consequently: 

S 2 = S 2 i (mod REAN ) -> C 2 = LSB (S 2 ) 

and so on, up to 

S n = S 2 n _l ( mod REAN) -+ C' n = LSB (S n ). 
Accordingly, the result is the true Rl for this specific Remote Entity and for this specific 
transaction (Ch), wherein: 

Rl = C'jo 000000 oC' n 

The Arbitrator may then check whether the true Rl is identical to the Presumed Rl 
claimed by the Identification Device (e.g., ID Node/system administrator). If they do not 
match, the R2 is a fabrication. On the other hand, if the two numbers match, it is confirmed that 
the R2 is from the Remote Entity because the Identification Device has no means with which to 
compute (fabricate) a true Rl . 

It is worth noting that the example shown represents an remarkably secure methodology 
to identify a Remote Entity. The sensitive secrets, e.g., the knowledge on how to factorize the 
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SSR is available only to the Identification Device (e.g., ID Node/ System Administrator) and is 
not available to the Remote Entities (e.g., not in their tokens). 

According to another preferred exemplary implementation of the methods of the present 
invention, the methods and algorithms described above may be used, but, instead of having the 

5 Identification Device send a challenge (Ch) to the Remote Entity, the Remote Entity may use 
the Cipher's Generation Time, The time of the moment of computing the Cipher, the 
Generation Time and Date, the GMT and Date, or some other suitable time-based variable 
having a particular resolution, e.g., of seconds. For simplicity, this type of time-based variable 
will be referred to herein as Generation Time, or Gtime (see Figure 4, block 10b). 

10 Referring to Figure 4, a Remote Entity may proceed as in Figure 4, illustrating a non- 

repudiable, non-trackable, one-way identification method. The Remote Entity may transmit a 
message, which identifies the Remote Entity, to the Identification Device (e.g., ID Node, or one 
of various ID Nodes of a particular Service Provider), and this ends the protocol. Accordingly, 
during the time that the identification is being made on-line, both sides, Remote Entity and 

15 Identification Device, know the corresponding Gtime/Reception Time (see Figure 4, block 14b) 
and, consequently, the Identification Device may verify the identification (See Figure 4, blocks 
1 5b and 16b). If the Identification is not on-line, the Generation Time used in the computation 
may be communicated openly to the Identification Device. 

With regard to on-line transactions, to overcome possible drift between the time 

20 measured by the Remote Entity and the time measured by the Identification Device, two 
successive identification procedures may be accomplished during the same identification 
process (see Figure 5). The time elapsed between the two identification procedures also may be 
determined by the Identification Device (see Figure 5, block 19d), which will signal/ trigger the 
Remote Entity to send a new Cipher. Because the time elapsed is set by the Identification 

25 Device, this process avoids the possibility of an impostor using two pre-recorded Ciphers in an 
attempt to defraud the system. Hence, measuring the Absolute Value of the drift difference (see 
Figure 5, block 27d) the Identification Device can overcome the drift problem without 
compromising security. 

Another preferred exemplary implementation of the methods of the present invention 

30 comprises a process similar to that described in Figure 5, but instead of using the Gtime a 

Remote Entity may use a Remote entity's specific function of the Gtime, referred to herein as 
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F_T_RE(Time), which preferably is a linear function. The Identification Device (e.g., ID Node/ 
System Administrator) will require the knowledge to compute F_T_RE(Time), and therefore, a 
database may be necessary. 

As an example, a function of Gtime may be utilized wherein F_T_RE(Time) = 

5 REJTime = Time + RE_cte, and where RE_cte is a constant value, and is different for each 
Remote Entity (see Figure 6). Because, according to this particular implementation, the 
Identification Device may use a database anyway, it may be convenient to preserve the 
RE_Time and RTime of the previous transaction (referred to herein as RE_Time_pre and 
RTime_pre) in a database available to the Identification Device. This is in order to update the 

10 drift while the' RE_cte value is being updated, which absorbs the drift as is shown in Figure 6. 

The Identification Device, after receiving the RE_Time embedded in the Cipher and 
registering the RTime (Reception Time), will compare the difference: 

RE_Time - RTime 
with the previous difference (last recorded transaction): 

15 RE_Time - RTime 

which will be referred to herein as: 
RE_Time_pre - RTime_pre. 
This difference should be less than a tolerance value. The tolerance value may be a function 
(FTolerance) of the absolute value of the difference between RTime and Rtime_pre, as follows: 

20 FTolerance(RTime - RTime_pre). 

A preferred specification of FTolerance is shown in Figure 7. 

Although the invention has been described herein using specific examples of the various 
methods encompassed by the present invention, variations or alterations of the methods 
presented herein do not represent a departure from the spirit of the invention as set forth in the 

25 specification and claims. For example, the methods of the present invention may include the 
addition of encryption steps. Furthermore, the addition of DES to the cipher or permutations of 
it; the addition of transaction data to the cipher, whether such transaction data is encrypted or 
not; and/or the addition of Error Correction algorithms. Moreover, the sequential order of the 
steps or sub-steps illustrated herein are used only to explain the methodology presented, and do 

30 not limit or define the scope of the invention. Accordingly, slight variations in the 
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implementation and/or sequential order the method steps described herein do not represent a 
departure from the spirit and scope of the invention. 

Although the invention has been described herein using a general method for 
identification, many possible implementations of the methods presented by the invention are 

5 possible and remain within the scope of the invention. For example, these methods may be 
implemented in part wherein the Remote Entities are tokens or other portable devices (e.g., 
smart cards), or are the carriers of such devices. Moreover, the Identification Devices described 
herein may be in the form of PC's, ATMs, kiosks, or the like. Furthermore, the above- 
described methods may be masked or otherwise embedded into chips, and would not represent a 

10 departure from the spirit of the present invention. 

Although the invention has been described herein in conjunction with the appended 
drawing figures and specific functions, those skilled in the art will appreciate that the scope of 
the invention is not so limited. Various modifications in the selection and arrangement of the 
various components, method and steps discussed herein may be made without departing from 

15 the spirit of the invention as set forth above. 
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We claim: 

1 . An identification method for a multitude of to-be-identified-entities against a central 
identification entity, the said identification arbitrated by an independent arbitrator entity 
5 comprising the steps of: 

the independent arbitrator entity characterizing specific algorithms for each, and 
distributing the said algorithms to each of the to-be- identified entities; 

the central identification entity distributing one reversible algorithm for all and to all of 
the to-be-identified-entities; 
10 and for each identification operation, the to-be-identified-entity: 

applies the independent arbitrator entity's algorithm to a challenge selected 
by the central identification entity for such identification operation computing a first result, and 
then 

applies the central identification entity's reversible algorithm to the said 
15 challenge, to its identification data, and to the said first result computing a second result 
(cipher), 

and the to-be-identified-entity transmits the said second result to the 
central identification entity; 

whereas 

20 the central identification entity applies the reverse of the reversible 

algorithm to the received second result, computing a presumed challenge, a 
presumed to-be-identified entity's identification data, and a presumed first 
result; 

and whereas the central identification entity compares 
25 the challenge previously send to the said presumed challenge, and if they 
are identical, 

the central identification entity sends to the independent arbitrator entity 
the presumed first result, 

together with the to-be-identified presumed entity identification data or other 
30 identification data of such entity, and 
the said challenge, 
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and whereas the arbitrator entity retrieves the specific algorithm sent by him 
to the said to-be-identified entity and applies the said specific algorithm to the challenge 
computing the true first result, and compares such true first result with the presumed first result, 
and, if eventually are identical, the arbitrator entity corroborates the veracity of the 
5 identification to the central identification entity; 

and whereas the central entity, having received the corroboration from the arbitrator 
entity, accepts the presumed identification data as true identification data corresponding to the 
to-be-identified-entity. 

10 2. An identification method for a multitude of to-be-identified-entities against a central 
identification entity, the said identification arbitrated by an independent arbitrator entity, as in 
claim 1, but instead of receiving a challenge from the central identification entity, 
the to-be-identified-entity computes the time and date of the moment, applies the independent 
arbitrator entity's algorithm to the said time and date computing a first result, and then applies 

15 the central identification entity's reversible algorithm to the said time and date, to its 

identification data, and to the said first result computing a second result (cipher), and the 
to-be-identified-entity send the said second result to the central identification entity; 
and whereas the central identification entity: 

records the reception time of the cipher sent by the to-be-identified entity 

20 the central identification entity applies the reverse of the reversible 

algorithm to the received second result, computing a presumed time and 
date, a presumed to-be-identified entity's identification data, and a 
presumed first result; 

and whereas the central identification entity compares the said reception 

25 time to the said presumed time and date, and if they are alike according to a 

pre-established tolerance, the central identification entity sends to the independent arbitrator 
entity the presumed first result, 

together with the to-be-identified entity identification data or other 
identification data of such entity, and 

30 the said presumed time and date, 



22 



WO 99/27676 



PCT/IB98/01834 



and whereas the arbitrator entity retrieves the specific algorithm sent by him to the said 
to-be-identified entity and applies the said specific algorithm to the said presumed time and date 
received from the central identification entity, computing the true first result, and compares 
such true first result with the presumed first result, and, if eventually are identical, the arbitrator 
5 entity corroborates the veracity of the identification to the central identification, entity; 

and whereas the central entity, having received the corroboration from the arbitrator 
entity, accepts the presumed identification data as true identification data corresponding to the 
to-be-identified-entity. 

10 3. A system for secure identification comprising: 

an arbitrator configured to store and provide a different algorithm for each of a 
plurality of remote entities, comprising a first processor having access to a first memory; and 
an identification device configured to provide a reversible algorithm to each of 
said remote entities, comprising a second processor having access to a second memory; 
15 wherein each of said remote entities comprises a remote entity memory and a remote 

entity processor, and is configured to store one of said arbitrator algorithms, said reversible 
algorithm and remote entity identity information; and 

wherein said first processor cannot access said second memory and said second 
processor cannot access said first memory. 
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FIGURE 2 
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FIGURE 3 
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FIGURE 4 
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FIGURE 5 
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FIGURE 5 (continued) 
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FIGURE 6 
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FIGURE 6 (continued) 
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RE applies F_SYSsm t0 RE'JTime, C_ID and R'l 
F_SYS S M (RE'JTime, C_ID, R'1)=R'2 



I 
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RE sends R'2 to the Identification Device 
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Identification Device records the R'2's new Reception Time (RTime) 
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Identification Device applies P*_SYS to R'2 
p!_SYS (R^RE'JTime, CJD, R'l 
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Identification Device computes 
DT-DT=RE'_Time - REJTime - (RTime - RTime) 


68 



67 



no 




C_ID is rejected 



71 



yes 



CJD is certified and the RE ! _Time 
and the RTime are stored 
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FIGURE 7 



FTolerance(A.V.(RTime - RTime_pre)) 



Rejection area 




A. V. (RTime-RTime_pre) 
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